ICO fines Uber £385,000 following its 2016 data breach

The penalty follows an investigation by the watchdog into Uber’s 2016 data breach

The Information Commissioner's office (ICO) has fined mobile taxi-hailing juggernaut Uber 385,000 for failing to protect customer data in its devastating data breach scandal back in 2016.

The incident was a "serious breach of principle seven of the Data Protection Act 1998", said the ICO, and had the potential to expose the affected customers and drivers to increased risk of fraud being carried out against them.

Advertisement - Article continues below

The fine follows another one issued to the company recently in September. After agreeing to terms with all 50 American states and the District of Columbia, Uber agreed to pay $148 million for failing to notify its drivers that their details had been stolen.

The October 2016 data breach in question affected 57 million of the company's drivers. Names, email addresses and phone numbers of over 50 million drivers were stolen and around 7 million drivers were affected, with hackers accessing around 600,000 US driver's license numbers.

In the UK, more than 2.7 million of its British customers and drivers were affected too. Again, names, email addresses and phone numbers were all stolen in the hack and according to an ICO investigation, records of almost 82,000 drivers based in the UK had details of journeys made and how much they were paid stolen.

Advertisement - Article continues below

"This was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen," said Steve Eckersley, ICO Director of Investigations. "At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable."

The data was stolen as a result of "a series of avoidable security flaws" in Uber's cloud-based storage system operated by Uber's US parent company. The ICO investigation also found how Uber's data storage was breached. A process called 'credential stuffing' was used which involves taking compromised username and password pairs and plugging them into websites until user account details were found, which were then used to gain access to the cloud-based storage system.

Advertisement - Article continues below

"We're pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since," said an Uber spokesperson. "We learn from our mistakes and continue our commitment to earn the trust of our users every day."

Following the data breach, it was reported that Uber paid the hackers $100,000 ($78,000) for their silence so it could silently cover up the incident behind closed doors.

"Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack," said Eckersley. "Although there was no legal duty to report data breaches under the old legislation, Uber's poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected."

Reports also claim Uber's former CEO Travis Kalanick knew about the breach for over a year. He was forced out of the company in June 2017 amid allegations of sexism and poor working practices.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now


Business strategy

Uber, WeWork cause SoftBank to lose 99% of quarterly profit

12 Feb 2020
Business strategy

Uber car involved in fatal crash had software flaws

6 Nov 2019

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020